To encode or not to encode, that is the JWT question

The Atlassian guide on JWT for Connect apps appears to contradict itself.

It instructs us:

In the case of repeated parameters, append the encoded ',' character (i.e., "%2C" ) and subsequent percent-encoded values.

… but it uses an unencoded comma to separate the values of the ‘repeated’ parameter in:


Would somebody in the know please clarify which is correct: the encoded command or the unencoded comma? Many thanks.

Hey there,

I quickly tested it with

const jwt = require("atlassian-jwt")

const req = jwt.fromMethodAndUrl('GET', '/rest/resource/you/want?repeat=1&repeat=2&foo=bar,buzz');

console.log(jwt.createCanonicalRequest(req, false, ""))
// => GET&/rest/resource/you/want&foo=bar%2Cbuzz&repeat=1,2

So I guess this means:

  1. If it’s repeated, use comma
  2. If comma is already used, encode it
1 Like

From Bitbucket’s QSH docs, I also confirm, “In the case of repeated parameters, concatenate sorted values with a , character.”

1 Like

Thanks, @FabianSiegel1 and @ibuchanan. It seems that the documentation is in error then. I forget the process for submitting documentation bugs - will the relevant people see this, do you think?

1 Like

Hey @david.pinn ,

To help improve the documentation at a particular location, you can click the “rate this page” link which will pop up a dialog in which you can add some feedback such as suggestions on improvements. To save you, I’ve internally notified the team responsible for this content.


1 Like